And then ignore them all! and attempt to make Potato Latkes!
and now off to Whole Foods and return with the things to make the stuff!

Here’s what I returned from Whole Foods with! (I can walk there) YAY FOOD IN FOOD FORM THAT IS NOT READY FOR NOM! (Wait…what?!)
…Also if you look up a recipe to latkes… you’ll notice a lack of my flour ownership…. BUYING THIS IS HARD. K.

oh wells! I’m just gonna start doing the things like chopping. and adding heat!

So, what shall I do now. Find pan! I like big pans and I can not lie! You other chefs can’t deny!

I swear I didn’t tear up cutting the onion….(…I totally did though ;_; )
also… even though I might smell good. DO NOT LICK THE RAW ONION.
it’s not very tasty….(life pro tips by pronto)

So, Taters: check, Onions: check….EGG TIME

Those are some mighty fine eggs if I say so myself.
time to get violent. AND BEAT THEM

DIE EGGS DIE I END YOU. DIE DIE DIE DIE

now that the eggs are RIP. Time to butter the pan!
mmm butter. while the fire is doing its thing to the butter. let’s check the eggs and add onions to them!

if you look closely YOU CAN SEE ONION IN THE EGG. OMG

so time to add salt. I put it in the egg stuff because I didn’t know what else to do with it…

….so, I failed pretty bad trying to open the salt.
IT’S NOT AN EASY PROCESS OKAY. -.-

LET’S PUT THE CHOPPED TATERS ON THE HOT BIG PAN! :D FRY TATERS FRY!
So after that I let them fry some more. and added more butter. because butter.
who does not like butter!^_^

time for the EGG ONION MIXTURE (and more butter/ YES.) Egg! aww yeah! mmmm. so @corq on twitter was jealous. and gave awesome idea of GARLIC.
I didn’t think I had any. BUT FOUND OUT I OWN GARLIC POWDER! YAY!

THANKS FOR THIS AMAZE IDEA! mmm garlic (also proof I’m not a vampire!)

So I let it fry some more! and here’s the finished noms.

ShmooCon 2015
https://pronto185.com/blog/2015/01/20/shmoocon-2015/ (Tue, 20 Jan 2015 20:29:11 +0000)

Once again I made it to ShmooCon, and once again I didn’t make it to most of the talks I wanted to. Instead I valued talking with people. Caught up with some amazing friends/acquaintances to hear about the fun things they’re working on. Also met some new people, a few of whom had this very ShmooCon as their first hacker-con. It’s amazing what you can learn just by hanging out in the chill-out room, hotel bar, lobby, and the various room parties.

If I met you this past weekend at Shmoo, and you want to follow up on anything we discussed, please leave a comment here or email me at justin@ifconfig.pro.

Talks I did make:

httpscreenshot – A Tool for Both Teams – Steve Breen and Justin Kennedy

httpscreenshot is a tool developed internally over the past year and a half. It has become one of our go-to tools for the reconnaissance phase of every penetration test. The tool itself takes a list of addresses, domains, and URLs, visits each in a browser, parses SSL certificates to add new hosts, and captures a screenshot/HTML of the browser instance. Similar tools exist but none met our needs with regards to speed (threaded), features (JavaScript support, SSL auto detection and certificate scraping), and reliability.

In this talk, I’ll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I’ll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to develop the capability to track their targets in real time. Finally, I’ll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers. I’ll also be releasing a suite of tools I created to help threat researchers perform tracking and attribution.

Andrew is someone who I first met at NovaHackers, and when I first met him I thought “This is someone to keep an eye on, he’s going to be doing some pretty awesome things”. Well Andrew, you have!
This talk was of particular interest to me as one of my own projects is kinda about doing threat intel cheaply.

Firetalks!

Firetalks is an event put on by @grecs of NovaInfosec. It’s a great event and I highly recommend attending. They’re short talks on people’s neat projects/ideas, right to the good info without a bunch of unneeded filler talk. My thoughts on each are in the sub-bullets.
Watch the talks on irongeek.com here

Disclaimer: I was in a bit of an ‘oh god what just happened’ state while watching this talk

…my talk was the first talk I’ve given

He brings up a LOT of really good points about how IP addressing is handled

If you’re at all interested in how the Internet works (and how it’s broken), watch this

Parties: this year I didn’t do the normal loud crazy parties, but instead went to ‘social gathering’ parties. I was invited to the REDLattice party, and was promised good discussion and free beer. They delivered on both; if you get a chance, go check them out at future ShmooCons to talk to some great people they invite. I also found myself at the #MexiCon party put on by ViciousData (they also sponsored the ShmooCon epilogue), and was able to have some really fun and interesting conversations there.

People: I was able to put a lot of faces to names this year from IRC/Twitter folk, which is always awesome. Though chances are if we meet again, you’ll have to remind me (I’m horrible at remembering names/faces; I remember things/events).
Unfortunately I also meant to meet up with a lot of people who were also there, but we missed each other :( oh well, there’s always the next hackercon!

odd scapy issue (with work around!)
https://pronto185.com/blog/2014/05/15/odd-scapy-issue-with-work-around/ (Thu, 15 May 2014 13:56:07 +0000)

With scapy I was trying to do a traceroute:

Slightly interesting find from sshranking
https://pronto185.com/blog/2014/03/06/slightly-interesting-find-from-sshranking/ (Thu, 06 Mar 2014 20:12:38 +0000)

Found something somewhat interesting via my ssh-ranking project
for the IP 218.28.116.247 (info page | mirror).
When I notice the attacker has an HTTP server going, I like to take a screenshot of said server.
This IP got:
So I downloaded those files, and ran file on them:

So yay, looks like I found some server that’s set up to host stuff for botnets.
Let’s start with that C source code: (view it here)

The comment on the C code is:
/*
* jessica_biel_naked_in_my_bed.c
*
* Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
* Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
* Stejnak je to stare jak cyp a aj jakesyk rozbite.
*
* Linux vmsplice Local Root Exploit
* By qaaz
*
* Linux 2.6.17 - 2.6.24.1
*
* This is quite old code and I had to rewrite it to even compile.
* It should work well, but I don't remeber original intent of all
* the code, so I'm not 100% sure about it. You've been warned ;)
*
* -static -Wno-format
*/
The first part is in Slovak (Google Translate):
* Doval of Knajpa and stare from Wojtas again has nothing to do, kura.
* Gizdi, mate cosyk Here you will find the edge, while a Flow and blabbed.
* Anyway this is old as well as CYP jakesyk crack.

So it’s a rather old Linux exploit. This is most likely post-exploitation stuff (e.g. the attacker already has a user-level shell on an out-of-date Linux box and will use this to get root).

Let’s take a look at the executables. I’m going to use my awesome reverse engineering skills here (aka, let’s run strings on it).
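As an added example (not code from the post, and not part of the ssh-ranking project), here is a small Python stand-in for the strings pass described above, plus a first-cut classifier for what comes out of it. The sample blob, the indicator patterns and the tag names are all my own constructions; the real triage step is the same idea: read the bytes, never run the file, and look at what the printable runs tell you.

```python
import re

# Constructed sample "binary": a handful of printable runs embedded in junk
# bytes, plus one UTF-16LE string. This is NOT the file from the post.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"\x01\x02\x03"
    + b"http://198.51.100.23/bot/cfg.txt\x00"
    + b"\xff\xfe" + "192.0.2.44:6667".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"  # shorter than min_len, so it must not be reported
    + b"PING :irc.example.invalid\x00"
)

# Patterns for classifying extracted strings (an assumed set; extend as needed).
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://\S+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "path": re.compile(r"^/(?:[\w.-]+/)*[\w.-]+$"),
    "irc": re.compile(r"^(?:PING|NICK|JOIN|PRIVMSG)\b"),
}


def extract_strings(data, min_len=4):
    """Return printable ASCII runs and UTF-16LE runs of at least min_len chars,
    roughly what the strings tool reports in its default and little-endian modes."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(data)]
    found.extend(m.group().decode("utf-16-le") for m in utf16_run.finditer(data))
    return found


def triage(strings):
    """Map each string that matches at least one indicator pattern to its tags."""
    hits = {}
    for s in strings:
        tags = [name for name, pat in INDICATOR_PATTERNS.items() if pat.search(s)]
        if tags:
            hits[s] = tags
    return hits


def triage_file(path, min_len=4):
    """Static triage of a file on disk: only read the bytes, never execute it."""
    with open(path, "rb") as fh:
        return triage(extract_strings(fh.read(), min_len))


if __name__ == "__main__":
    for s, tags in triage(extract_strings(SAMPLE_BLOB)).items():
        print(f"{','.join(tags):10} {s}")
```

Raising min_len trims the noise on real binaries; the UTF-16 pass matters for Windows samples, where the strings you care about often never show up in the plain ASCII output.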

Soon to follow: another server with the same HttpFileServer, but way different files. Also another with files via anonymous FTP.

How I use autossh
https://pronto185.com/blog/2014/01/30/how-i-use-autossh/ (Fri, 31 Jan 2014 00:13:13 +0000)

autossh is a nice little program that will auto-restart ssh connections when they drop.
This is extremely useful if you use SSH tunnels a lot.

autossh is a program to start a copy of ssh and monitor it, restarting it as necessary should it die or stop passing traffic. The idea is from rstunnel (Reliable SSH Tunnel), but implemented in C.

Connection monitoring using a loop of port forwardings or a remote echo service.

Backs off on rate of connection attempts when experiencing rapid failures such as connection refused.

I have my Raspberry Pi at home using autossh to do a remote port forward of ssh to my server.

To set this up I created an account on my server just for tunneling:
a user called tunnel with the shell set to /bin/false.
On the rpi I generated ssh keys (with no passphrase).

Toss the public key into the tunnel account’s ~/.ssh/authorized_keys on the remote server.

Now test it without autossh:

root@rpi:~# ssh -N -R 3333:localhost:22 tunnel@server
The -N is for no shell; the -R forwards the rpi’s sshd (port 22) to port 3333 on your remote server.
Now from the server you can do ssh user@localhost -p 3333 and log in :D

Now for autossh!
I use autossh in cron; not _sure_ if that’s how it’s meant to be used… but it works very nicely.
As root, crontab -e:
*/1 * * * * autossh -M 20001 -R 3333:localhost:22 -N tunnel@server
This will check the tunnel every minute, and if it’s not up it will bring it up.

On Linux boxes there’s a file called /var/log/auth.log where all login attempts to the system are logged, among other things.
If you’ve ever run a Linux box on the web with port 22 open you’ll know that it gets hit, and hit hard (especially so if your IP is in a well-known ‘server range’, e.g. linode.com).
Now most sane people will either just use fail2ban (or something similar) or change the ssh port.
But craycray people like myself like it when auth.log* gets filled up with these attempts, for a fun dataset!

About the project:

This project mainly started as something to do using Python, SQLAlchemy, Flask/Jinja2 and other things.
What it does is parse through auth.log, pull out every failed login attempt and toss it into a database.
Then the web part will query the DB and display interesting things, e.g. http://vps2.pronto185.com/ssh_rank/user/r00t shows which IPs have tried the user name ‘r00t’.
Remember this project is still in the early phases, and could be unstable. I wouldn’t run this on production boxes. If you want to see data from production boxes, I recommend moving the auth.logs off to some test server and telling sshrank.py to parse those.
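To make the parse-and-query part concrete, here is an added example that is not the project’s own code: it pulls failed sshd logins out of auth.log-style lines, loads them into an in-memory SQLite table as a stand-in for the project’s SQLAlchemy models, and answers the same kind of question as the /user/r00t view. The log lines are constructed samples, not data from the author’s box; the regex, table layout and function names are my own assumptions.

```python
import re
import sqlite3

# Constructed sample of /var/log/auth.log lines (not data from the project's
# own logs). Syslog timestamps carry no year, so they are kept as text.
SAMPLE_AUTH_LOG = """\
Mar  6 19:55:01 vps2 sshd[12345]: Failed password for invalid user r00t from 203.0.113.45 port 51234 ssh2
Mar  6 19:55:03 vps2 sshd[12345]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar  6 19:55:09 vps2 sshd[12350]: Invalid user admin from 198.51.100.7
Mar  6 19:55:12 vps2 sshd[12350]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar  6 19:56:00 vps2 sshd[12360]: Accepted publickey for pronto from 192.0.2.10 port 50000 ssh2
Mar  6 19:56:30 vps2 sshd[12370]: Failed password for invalid user r00t from 198.51.100.7 port 40010 ssh2
Mar  6 19:57:00 vps2 CRON[12380]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  6 19:58:15 vps2 sshd[12390]: Failed password for invalid user oracle from 198.51.100.7 port 40020 ssh2
"""

# One sshd failure line. "invalid user " appears only when the account does not
# exist; when it is absent the guess hit a real account, which is worth knowing.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed (?P<method>\w+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_auth_log(lines):
    """Return one dict per failed login attempt; every other line is skipped."""
    attempts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            attempts.append({
                "ts": m["ts"], "host": m["host"], "method": m["method"],
                "username": m["user"], "ip": m["ip"], "port": int(m["port"]),
                "invalid_user": m["invalid"] is not None,
            })
    return attempts


def load_into_db(attempts):
    """Store attempts in an in-memory SQLite table (stand-in for the real DB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attempts (ts TEXT, host TEXT, method TEXT, username TEXT, "
        "ip TEXT, port INTEGER, invalid_user INTEGER)"
    )
    conn.executemany(
        "INSERT INTO attempts VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(a["ts"], a["host"], a["method"], a["username"], a["ip"], a["port"],
          int(a["invalid_user"])) for a in attempts],
    )
    return conn


def ips_for_user(conn, username):
    """Which IPs tried this username, and how often (the /user/<name> view)."""
    rows = conn.execute(
        "SELECT ip, COUNT(*) FROM attempts WHERE username = ? "
        "GROUP BY ip ORDER BY 2 DESC, ip",
        (username,),
    )
    return dict(rows.fetchall())


def top_offenders(conn, n=5):
    """IPs with the most failed attempts, as (ip, count) tuples."""
    return conn.execute(
        "SELECT ip, COUNT(*) AS c FROM attempts GROUP BY ip ORDER BY c DESC, ip LIMIT ?",
        (n,),
    ).fetchall()


def real_account_hits(conn):
    """Usernames that exist on the box and were still guessed at (no 'invalid user')."""
    rows = conn.execute(
        "SELECT DISTINCT username FROM attempts WHERE invalid_user = 0 ORDER BY username"
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = load_into_db(parse_auth_log(SAMPLE_AUTH_LOG.splitlines()))
    print("r00t:", ips_for_user(conn, "r00t"))
    print("top:", top_offenders(conn))
    print("real accounts targeted:", real_account_hits(conn))
```

The invalid_user flag is the detail worth keeping: a flood of guesses at names that do not exist is background noise, while repeated failures against an account that does exist on the box is the line a defender wants to alert on.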

What’s next?

Going to start doing more digging into the top offenders: doing port scans, keeping an rDNS history for changes, grabbing the whois data to compare with other offenders.
Also thinking about logging the passwords for failed attempts; Eric Gragsone had an interesting idea on how to do that with PAM.

‘This is neat, I want this’ and ‘how can I help?’

Get it running?

The readme on GitHub should help you get started. Note: it was tested on Debian 7.2, so if you use something else you might have to do things differently.
I have gotten it working on Python 2.7 and 2.6.6.

How can I help?

All the code is on GitHub, feel free to fork/etc… and if I like your changes, I’ll merge them into the main one.
If you don’t know how to use GitHub, I highly recommend learning how to use it; you can find a lot of links here to figure it out :)

Talk to ….me?!

Best way is via IRC (pronto on: efnet, freenode, snoonet, and other nets…), email: pronto185@gmail.com, or Google Chat/Hangouts.